[vlc-devel] [PACKAGERS] libavformat leak security advisory
Michael Niedermayer
michaelni at gmx.at
Tue Jan 19 20:49:35 CET 2016
Hi
On Sat, Jan 16, 2016 at 04:13:10PM +0200, Rémi Denis-Courmont wrote:
> tl;dr:
> 1) The libavformat vulnerability affects VLC.
> 2) The FFmpeg 2.8.5 release does NOT address the vulnerability.
>
> Hello,
>
> As many of you already know by now, there is a lot of fuss about an information
> leak vulnerability in libavformat at the moment. The issue affects both libav
> and FFmpeg sides of the forked project.
>
> At the time of writing, fixing efforts have concentrated on the libavformat
> HLS implementation. Because the root cause of the problem is not in HLS, those
> efforts have failed.
>
> On the one hand, the libav project has one unmerged patch to address the
> problem. The patch does not address the VLC vulnerability. On the other hand,
> the FFmpeg project has made a release claiming to fix the problem (2.8.5). The
> release does not fix the problem.
If you know of a security issue in FFmpeg 2.8.5, please provide details
about that. I am not aware of a remaining related issue and none
was reported to ffmpeg-security.
Also, if you have a patch fixing an issue, as you describe, please
share that patch so we can fix any remaining issue in FFmpeg.
Thanks
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The real ebay dictionary, page 1
"Used only once" - "Some unspecified defect prevented a second use"
"In good condition" - "Can be repaired by experienced expert"
"As is" - "You wouldn't want it even if you were paid for it, if you knew ..."